CRA Annex III important products — Class I and Class II explained
Full list of CRA Annex III important products, Class I and Class II, and which categories trigger Notified Body assessment under the Cyber Resilience Act.
By Vladimír Vician
The Cyber Resilience Act categorises every product with digital elements into one of three risk tiers, each with its own conformity assessment regime:
- Standard products — everything not listed in Annex III or IV. Module A self-assessment by default.
- Important products — listed in Annex III, split into Class I and Class II.
- Critical products — listed in Annex IV. Always require Notified Body plus EU certification scheme.
This article walks through Annex III in full — every Class I and Class II category, the products that fall under each, the conformity assessment modules permitted, and the Notified Body engagement implied.
Why Annex III matters
For a product manufacturer, Annex III determines:
- Whether Module A self-assessment is available — for Class I when a harmonised standard is fully applied, yes; for Class II, no
- Whether a Notified Body must be engaged — Class I sometimes, Class II always
- The lead time and cost of conformity assessment — Module A self-assessment is weeks; Module B+C with NB is months
- The Technical File rigor required — NB-assessed Technical Files are typically more comprehensive
Misclassifying a Class II product as standard (Module A) is one of the most expensive mistakes a manufacturer can make under CRA — the product is non-compliant from day one and market surveillance can order withdrawal.
Class I — lower-tier important products
Article 32(2)(a) of the CRA permits, for Class I products, either Module A self-assessment (when the manufacturer fully applies the listed harmonised standards) or Module B+C/H with Notified Body involvement. The Annex III Class I list:
Identity management and access control
- Identity management systems and privileged access management software and hardware — IAM platforms, PAM tools, single sign-on systems
- Authentication and access control readers — including biometric readers (fingerprint, face, iris)
Software for end users
- Standalone and embedded browsers — web browsers as installable applications, browsers embedded in IoT product UIs
- Password managers — both consumer and enterprise password vaults
- Software that searches for, removes, or quarantines malicious software — antivirus, EDR, anti-malware tools
Network and connectivity
- Products with digital elements with the function of virtual private network (VPN) — both consumer VPN services as installed software and enterprise VPN appliances
- Network management systems — NMS platforms, SDN controllers, network orchestration tools
- Security information and event management (SIEM) systems — log aggregation and analysis with security focus
- Boot managers — bootloaders for end-user systems (typically not embedded firmware bootloaders for OEM products, but verify with NB if unclear)
- Public key infrastructure and digital certificate issuance software — CA software, certificate management platforms
- Physical and virtual network interfaces — NIC hardware, virtual switches with network function
- Routers, modems intended for the connection to the internet, and switches — home and SMB networking equipment
- Operating systems — for products that are not themselves Annex IV (see Class II for hypervisors)
Silicon with security functionalities
- Microprocessors with security-related functionalities — CPUs with HSM, secure enclave, TrustZone, or similar features marketed as security capabilities
- Microcontrollers with security-related functionalities — MCUs with secure boot, secure key storage, secure update support
- Application Specific Integrated Circuits (ASICs) and Field Programmable Gate Arrays (FPGAs) with security-related functionalities — ASICs and FPGAs designed and marketed with security functions
The interpretation of "security-related functionalities" is the practical question. A general-purpose MCU is not in scope; an MCU marketed with secure boot, key storage, or attestation features is. Where ambiguous, conservative interpretation places the product in scope.
Smart home and consumer connected products
- Smart home general purpose virtual assistants — Alexa-like, Google Assistant-like devices
- Smart home products with security functionalities — smart door locks, security cameras, baby monitoring systems, alarm systems
- Internet-connected toys with social interactive features or location-tracking functions — connected toys that chat with children, that track child location, or that interact with other users
Wearables
- Personal wearable products to be worn or placed on a human body with the purpose of monitoring health — fitness trackers, smartwatches with health monitoring, continuous glucose monitors (also subject to MDR)
- Wearables intended for use by and for children — connected toys worn by children, child smartwatches
Class II — higher-tier important products
Article 32(2)(b) requires Module B+C, B+D, B+E, B+F, or H for Class II — always with Notified Body involvement. Module A is not available. The Annex III Class II list is shorter:
- Hypervisors and container runtime systems — type 1 and type 2 hypervisors, Docker, containerd, Kubernetes runtimes
- Firewalls, intrusion detection systems, and intrusion prevention systems — network firewalls (hardware and software), host-based firewalls, IDS, IPS
- Tamper-resistant microprocessors — silicon with anti-tamper features
- Tamper-resistant microcontrollers — secure elements, secure microcontrollers in payment cards, secure tokens
A product implementing both Class I and Class II features is classified as Class II for conformity assessment — the higher tier applies to the whole product.
Annex IV — critical products
Annex IV products always require Notified Body involvement plus an EU certification scheme under Article 8. The current Annex IV list:
- Hardware Devices with Security Boxes — hardware security modules (HSMs), payment security modules, cryptographic key managers in hardware
- Smart meter gateways within smart metering systems as defined in Article 2(7) of Directive (EU) 2019/944
- Smartcards or similar devices, including secure elements — banking smartcards, SIM cards, identity smartcards, eID cards
The Commission can amend Annex IV by Delegated Act under Article 7 of the CRA. Manufacturers of products even potentially in Annex IV should monitor Official Journal publications for amendment proposals.
Conformity assessment by tier
| Tier | Permitted modules | Notified Body |
|---|---|---|
| Standard (not in Annex III or IV) | Module A | Not required |
| Annex III Class I | Module A (if harmonised standard fully applied) — or Module B+C / H | Required for B+C / H paths; not required for Module A |
| Annex III Class II | Module B+C, B+D, B+E, B+F, or H | Always required |
| Annex IV critical | Module B+C / H + EU certification scheme under Article 8 | Always required + Commission scheme |
For Class I products choosing Module A, the full application of the listed harmonised standards is the trigger. As of mid-2026 the principal harmonised standard family is EN 18031 — see RED Delegated Act + EN 18031 walkthrough. Partial application of the harmonised standard pushes the product into Module B+C or H with Notified Body involvement.
How to classify your product
A practical sequence:
1. Read your product's primary function and its marketing description. What is the product for?
2. Match against the Annex III Class I list. Does the primary function correspond to one of the listed categories?
3. Match against the Annex III Class II list. Does the product implement any Class II function?
4. Match against Annex IV. Does the product fall under critical?
5. If both classes apply, take the higher tier. A product implementing both Class I and Class II is Class II.
6. If unclear, get a Notified Body opinion before placing the product on the market.
Cenitia's auto-mapper performs steps 1-5 automatically from your product description, BOM, software architecture, and intended use. The output identifies the CRA tier and the corresponding conformity assessment module recommendation.
Common classification mistakes
- Treating a feature as the primary function. A smart camera with optional face recognition is not necessarily an "identity management product" under Annex III. Primary intended function is what matters.
- Assuming consumer IoT is standard. Many connected consumer products fall under Annex III Class I — smart home security products, connected toys with social features, child wearables — and require Module B+C/H if harmonised standards are not fully applied.
- Self-classifying a Class II product as standard. A product with hypervisor function or firewall function is Class II. Module A is not available regardless of how the manufacturer interprets the role.
- Forgetting Annex IV amendments. The Commission can amend Annex IV by Delegated Act. Monitoring the Official Journal is required.
- Citing "important product" without specifying Class I or II. The two classes have different conformity assessment regimes — citing just "Annex III" without specifying the class is incomplete.
How Cenitia helps
Cenitia's auto-mapper identifies whether your product falls under Annex III Class I, Class II, or Annex IV based on the product description, intended use, software architecture, and BOM. The output recommends the conformity assessment module path and, when Notified Body involvement is required, suggests NBs designated for CRA in the NANDO database. The Technical File template adapts to the tier — Class II and critical products get the additional NB-required sections pre-populated.
For Class II and critical product manufacturers needing Notified Body engagement support, our parent company Inovasense provides consulting on NB selection, Technical File preparation for NB review, and audit response.
Frequently asked questions
What is the difference between standard, important, and critical products under the CRA?
The Cyber Resilience Act categorises products with digital elements into three risk tiers. Standard products are everything not listed in Annex III or IV — they use Module A self-assessment by default. Important products are listed in Annex III, split into Class I (lower tier — Module A with full harmonised standard, or Module B+C/H) and Class II (higher tier — Module B+C, B+D, B+E, B+F, or H always with Notified Body involvement). Critical products are listed in Annex IV — they always require Notified Body assessment plus EU certification under a scheme set by the Commission.
Which products are listed in CRA Annex III Class I?
Class I (lower-tier important) covers products including: identity and access management systems, browsers, password managers, antivirus and malware-removal software, VPN products, network management systems, SIEM systems, boot managers, public key infrastructure software, network interfaces, operating systems (not Annex IV), routers and modems for internet connection, switches, microprocessors and microcontrollers with security functionalities, security-related ASICs and FPGAs, smart home general-purpose voice assistants, smart home products with security functionalities (smart locks, security cameras, baby monitors, alarms), internet-connected toys with social or location features, and personal wearables for health monitoring or for use by children.
Which products are listed in CRA Annex III Class II?
Class II (higher-tier important) is a shorter list covering: hypervisors and container runtime systems, firewalls and intrusion detection/prevention systems, and tamper-resistant microprocessors and microcontrollers. Class II products always require Notified Body involvement — Module B+C/D/E/F or H. Module A self-assessment is not available for Class II.
What are CRA Annex IV critical products?
Critical products under Annex IV always require Notified Body involvement plus an EU certification scheme operated by the Commission. The current Annex IV list covers: hardware devices with security boxes (cryptographic security modules), smart meter gateways within smart metering systems as defined in Directive (EU) 2019/944, and smartcards or similar devices including secure elements. The list can be amended by Commission Delegated Act under Article 7 of the CRA.
How do I know if my product falls under Annex III?
Read the Annex III list and compare against your product's primary intended function. Annex III is purpose-driven, not feature-driven: a smart camera that happens to do face recognition is not automatically a 'security' product unless its primary function is security monitoring. Where the categorisation is unclear, request a formal opinion from a Notified Body before placing the product on the market. Cenitia's auto-mapper classifies your product against Annex III as part of the conformity assessment recommendation.
Can a product fall under both Annex III Class I and Class II?
Yes. A single product can implement multiple functions across both classes. The conformity assessment then applies the higher tier — Class II — to the whole product. Module B+C/D/E/F or H with Notified Body involvement covers the entire conformity demonstration regardless of which specific feature triggered Class II.
What conformity assessment module applies to Annex III important products?
Article 32(2) of the CRA prescribes the modules. For Class I products: Module A is available only if the manufacturer fully applies the listed harmonised standards, otherwise Module B+C or H. For Class II products: Module B+C, B+D, B+E, B+F, or H — Module A is not available. The choice within the permitted set depends on the manufacturer's production scale, product lifecycle pattern, and Notified Body availability.
Further reading
- Cyber Resilience Act Annex III — Important products with digital elements
- Cyber Resilience Act Annex IV — Critical products with digital elements
- Cyber Resilience Act Article 32 — Conformity assessment of important products
- Cyber Resilience Act Article 8 — EU Cybersecurity Certification
Last reviewed: 25 June 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.